Associate dependency with source #593
Comments
The way I've solved this issue is setting the
I could do that in principle yes, but not with my current setup, not with the way gitlab has implemented per-project packaging. I would need a proxy that implements this multi-project fallback.
It appears that gitlab does have a plan for this: https://gitlab.com/groups/gitlab-org/-/epics/3612
Getting this back on track (disregarding PyPI proxy ideas), is this something that pdm could solve on the client side?
pdm is complying with PEP 621 as the project metadata format. There is no room for such information to put in line with the dependency. Unless we use a table under
Fair enough. Closing as wontfix.
Another mitigation for this dependency confusion issue is to follow some pattern for naming your internal packages, such as reducing the chances a public package uses the same name. Something like org-team-project-name. You'd have to keep this pattern and name private/hidden/secret of course (not public). |
Another question: does PDM resolve packages from multiple indexes in a deterministic way? Perhaps you could list your private index under the "pypi" name, and then list the official PyPI as an extra index. |
What about allowing users to specify the "order" of the sources to check? If so, what would the name be? naming is a headache.. |
Aren't TOML tables ordered already? You could just take advantage of the order that they are listed in the table. One tricky part would be figuring out at which priority the implicit official

Some examples of what I mean:

Single additional source

```toml
[tool.pdm]
[[tool.pdm.source]]
url = "https://pypi.private-domain.org/simple"
verify_ssl = true
name = "custom-index-1"
```

Results in a priority:

Multiple additional sources, with the official PyPI being overridden

```toml
[tool.pdm]
[[tool.pdm.source]]
url = "https://pypi.other-private-domain.org/simple"
verify_ssl = true
name = "custom-index-2"
[[tool.pdm.source]]
url = "https://pypi.private-domain.org/simple"
verify_ssl = true
name = "custom-index-1"
[[tool.pdm.source]]
url = "https://pypi.org/simple"
verify_ssl = true
name = "pypi"
```

Results in a priority:

This of course relies on pip respecting the order of
@ElijahSink This is how it is working currently, but the package version in the private index must be higher than PyPI to get chosen.
@frostming is that an implementation detail of pip or something that PDM can control? |
@ElijahSink Unfortunately the former, pip fetches candidates from all indexes and sorts them together to get the best match. We already have a plan to implement our own package finder to replace pip's. So let's leave it for this release and do improvements in the future. |
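To make the behaviour described in the last few comments concrete, here is an added example (not pdm's or pip's own code) that models three resolution strategies over constructed sample indexes: the merge-all-indexes-and-take-the-highest-version behaviour described for pip, the source-order priority proposed for `[[tool.pdm.source]]` tables, and the per-dependency source association the issue asks for. It also includes an audit helper that lists private package names a public index would shadow under merged resolution. The index contents, source names, versions and the `Candidate` type are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample indexes (hypothetical data, not real PyPI or private-index contents).
# Maps source name -> package name -> available versions.
INDEXES: Dict[str, Dict[str, List[str]]] = {
    "custom-index-1": {"internal-package": ["1.0.0", "1.1.0"]},
    "pypi": {
        "internal-package": ["99.0.0"],  # a public package that reuses the private name
        "requests": ["2.25.1", "2.26.0"],
    },
}

# Source order as it would appear in [[tool.pdm.source]] tables: private first, PyPI last.
SOURCE_ORDER: List[str] = ["custom-index-1", "pypi"]


def parse_version(version: str) -> Tuple[int, ...]:
    """Minimal numeric version key; enough for the dotted versions in the sample data."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Candidate:
    name: str
    version: str
    source: str


def fetch_candidates(name: str, sources: List[str]) -> List[Candidate]:
    """Collect every (version, source) pair the given indexes offer for a package."""
    return [
        Candidate(name, version, source)
        for source in sources
        for version in INDEXES.get(source, {}).get(name, [])
    ]


def best_of(candidates: List[Candidate]) -> Optional[Candidate]:
    """Highest version among the candidates, or None if there are none."""
    return max(candidates, key=lambda c: parse_version(c.version), default=None)


def merged_best(name: str, sources: List[str]) -> Optional[Candidate]:
    """Merge-all-indexes behaviour described in the thread: the highest version wins
    regardless of which index it came from, so a higher public version shadows the
    private package (the dependency-confusion case)."""
    return best_of(fetch_candidates(name, sources))


def ordered_best(name: str, sources: List[str]) -> Optional[Candidate]:
    """Source-order priority: the first source that has the package wins and later
    sources are only a fallback, so the public index cannot shadow a private package."""
    for source in sources:
        found = best_of(fetch_candidates(name, [source]))
        if found is not None:
            return found
    return None


def pinned_best(name: str, sources: List[str], pins: Dict[str, str]) -> Optional[Candidate]:
    """Per-dependency source association (what the issue asks for): a pinned package is
    looked up only in its pinned source; everything else goes through the merged path."""
    if name in pins:
        return best_of(fetch_candidates(name, [pins[name]]))
    return merged_best(name, sources)


def shadowed_packages(private_source: str, public_source: str) -> Dict[str, Tuple[str, str]]:
    """Audit helper: private package names that also exist on the public index with a
    higher version, i.e. the ones merged resolution would silently swap out."""
    result: Dict[str, Tuple[str, str]] = {}
    for name in INDEXES.get(private_source, {}):
        private = best_of(fetch_candidates(name, [private_source]))
        public = best_of(fetch_candidates(name, [public_source]))
        if private and public and parse_version(public.version) > parse_version(private.version):
            result[name] = (private.version, public.version)
    return result


if __name__ == "__main__":
    pins = {"internal-package": "custom-index-1"}
    print("merged :", merged_best("internal-package", SOURCE_ORDER))
    print("ordered:", ordered_best("internal-package", SOURCE_ORDER))
    print("pinned :", pinned_best("internal-package", SOURCE_ORDER, pins))
    print("audit  :", shadowed_packages("custom-index-1", "pypi"))
```

Running the script shows the three outcomes side by side: merged resolution picks `99.0.0` from `pypi`, while both the ordered and the pinned strategies return `1.1.0` from `custom-index-1`; `shadowed_packages` is the check to run against a real private index before relying on merged resolution.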
@frostming Where is the right place to discuss the implementation of the new package finder? |
It is just an idea in my mind, no issue or discussion to track. |
I have two entries in my pyproject.toml of the following form.
This possibly causes a name collision issue if somebody uploads a package called `internal-package` to pypi (will pdm use the package from pypi or from my custom source?). It also appears to slow down pdm, as I presume pdm is searching for requests, pandas etc. in my custom source instead of only on pypi.
Both of these issues could be solved if there were a way to associate a particular dependency with a particular source.